Check Point Research, a company that provides leading cyber threat intelligence, has discovered malware permeating the Microsoft Store. The malware is being delivered via malicious clones of popular apps, mostly games, and is already known to have infected more than 5000 machines.
The malware, dubbed Electron Bot, is a backdoor that provides the attacker with complete control over compromised machines. Electron Bot’s main capabilities as analyzed by CPR are:
- SEO poisoning, an attack method in which cybercriminals create malicious websites and use search engine optimization tactics to make them show up prominently in search results
- Ad Clicker, a computer infection that runs in the background and constantly connects to remote websites to generate ‘clicks’ for advertisements
- Promote social media accounts, to direct traffic to specific content and increase views and ad clicking to generate profits
- Promote online products to generate profits with ad clicking or increase store rating for higher sales
In addition, the malware’s payload contains functions that control social media accounts on Facebook, Google and SoundCloud. It can register new accounts, log in, and comment on and “like” other posts (source: CPR report)
In its report, CPR has included the following list of publishers known to have released malicious game apps:
- Lupy games
- Crazy 4 games
- Jeuxjeuxkeux games
- Akshi games
- Goo Games
- Bizzon Case
Read CPR’s report in full: Microsoft Store Malware
It appears Electron Bot is malware-for-hire being sold to third parties who want to increase online profits illegitimately. It is important to note that, while the effects of the existing version of Electron Bot are not considered catastrophic, the code could easily be modified to fetch a secondary payload such as a RAT (Remote Access Trojan) or ransomware. CPR advises users to:
- Avoid downloading an application with a small number of reviews
- Look for applications with good, consistent, and reliable reviews
- Pay attention to suspicious application naming which is not identical to the original name
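The three pieces of advice above can be turned into a simple screening routine. The following is an added example, not code from CPR or the report; it checks a listing for a low review count, inconsistent ratings and a name that is a near-miss of a known original (a one- or two-character edit, which is how clones typically differ from the app they imitate), and also flags publishers from the list CPR published. The reference set of original app names, the thresholds and all listing data are constructed for illustration.

```python
"""Screening heuristics for app-store listings (added example, not from the
CPR report). Implements the three checks in the advice above plus a lookup
against the publishers CPR named. Thresholds and listing data are constructed."""

from __future__ import annotations

import statistics
from dataclasses import dataclass, field


@dataclass
class Listing:
    name: str
    publisher: str
    review_count: int
    ratings: list[int] = field(default_factory=list)  # individual star ratings, 1..5


# Constructed reference set of legitimate app names (hypothetical values).
KNOWN_ORIGINALS = {"Temple Run", "Subway Surfers"}

# Publishers CPR listed as having released malicious game apps (from the report).
LISTED_PUBLISHERS = {
    "lupy games", "crazy 4 games", "jeuxjeuxkeux games",
    "akshi games", "goo games", "bizzon case",
}

MIN_REVIEWS = 50            # constructed threshold for "small number of reviews"
MAX_RATING_STDDEV = 1.5     # constructed threshold for "inconsistent" ratings
MAX_NAME_DISTANCE = 2       # edits away from an original that still look like a clone


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _norm(s: str) -> str:
    """Case-fold and drop spaces so 'TempleRun' and 'Temple run' compare equal."""
    return s.lower().replace(" ", "")


def nearest_original(name: str) -> tuple[str, int]:
    """Return the closest known original name and its edit distance to `name`."""
    best = min(KNOWN_ORIGINALS, key=lambda o: levenshtein(_norm(name), _norm(o)))
    return best, levenshtein(_norm(name), _norm(best))


def rating_stddev(ratings: list[int]) -> float:
    """Population standard deviation of the star ratings; 0.0 if fewer than two."""
    return statistics.pstdev(ratings) if len(ratings) > 1 else 0.0


def screen(listing: Listing) -> list[str]:
    """Return the list of heuristic flags raised for a listing (empty = nothing suspicious)."""
    flags = []
    if listing.review_count < MIN_REVIEWS:
        flags.append("few_reviews")
    if rating_stddev(listing.ratings) > MAX_RATING_STDDEV:
        flags.append("inconsistent_ratings")
    original, distance = nearest_original(listing.name)
    # distance 0 is the original itself; 1..MAX_NAME_DISTANCE is a lookalike
    if 0 < distance <= MAX_NAME_DISTANCE:
        flags.append(f"lookalike_name:{original}")
    if listing.publisher.lower() in LISTED_PUBLISHERS:
        flags.append("publisher_listed_by_cpr")
    return flags


# Constructed sample listings (not real store entries).
SUSPICIOUS = Listing("Temple Runn", "ExamplePub Games", 12, [5, 5, 1, 5, 1])
LISTED = Listing("Subway Surfers", "Lupy games", 300, [5, 5, 5, 4, 5])
LEGIT = Listing("Temple Run", "ExampleOriginalPub", 120000, [5, 4, 5, 5, 4])

if __name__ == "__main__":
    for entry in (SUSPICIOUS, LISTED, LEGIT):
        print(f"{entry.name!r}: {screen(entry) or 'no flags'}")
```

None of these heuristics is proof of malice on its own; a new legitimate app also has few reviews. They are useful as a triage filter, which is how CPR's advice is meant to be read.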
Personally, I would recommend not downloading anything from the Microsoft Store for the time being. At least until Microsoft issues assurances that the malware has been cleaned out and the company has implemented a far more stringent/effective screening process.
How ironic is it that, while Microsoft is forcing obscure security protocols down Windows users’ throats, the company is seemingly unable to protect its own backyard? With the recent news that Google Play Store is hosting an Android banking trojan with over 50,000 installations to date, it seems these “app stores” are a major (and easy?) target for cybercriminals.